jaleelsyed / fx-local


insecure_cookies on DELETE:/api/v1/orgs/{id} #300

Open jaleelsyed opened 1 year ago

jaleelsyed commented 1 year ago

Title: insecure_cookies Vulnerability on DELETE:/api/v1/orgs/{id}
Project: NB 58
Description:

Assertion

Overview: Cookies are commonly used to conveniently store information client side, such as for API authentication. If used with insecure settings, they can be used as an attack vector and a source of data leaks. This category checks that cookies are set to be allowed only over a secure connection and that they cannot be accessed by client-side JavaScript. The secure connection keeps them from being intercepted. Not allowing JavaScript to read the values will help keep malicious websites from harvesting the cookie data.

<p><font style="color: #ef5350;"><b>Severity:</b> High</font></p>
<p><font style="color: #ef5350;"><b>Impact:</b> High</font></p>
<p><font style="color: #ef5350;"><b>Exploitation:</b> High</font></p>

<p><font style="color: #ef5350;"><b>References:</b></font>
    <ul>
        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security">Mozilla guide on secure cookies</a></li>
        <li><a href="https://owasp.org/www-community/controls/SecureCookieAttribute">OWASP guide on secure flag</a></li>
        <li><a href="https://owasp.org/www-community/HttpOnly">OWASP guide on httpOnly flag</a></li>
    </ul>
</p>

Risk: insecure_cookies

Severity: Medium
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/orgs/FymlDAoR
Environment: Master
Playbook: ApiV1OrgsIdDeleteInsecureCookies
Researcher: Default

QUICK TIPS

Suggestion:
Effort Estimate: null Hrs
Wire Logs:

IMPORTANT LINKS

Vulnerability Details: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc81e585bef95e0185c869cbbe1895/details

Project: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard

Environment: https://cloud.apisec.ai/#/app/config-environments/projects/8adc80ec84e1cb220184e5f27d494dfb/environmentList

Scan Dashboard: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/profiles/8adc80eb84e1c98e0184e5f2a02953c6/runs/8adc823d85bef6cb0185c869930d41f6

Playbook: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/playbooks/ApiV1OrgsIdDeleteInsecureCookies

Coverage: https://cloud.apisec.ai/#/app/config-categories/projects/8adc80ec84e1cb220184e5f27d494dfb/categories

Code Sample: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc81e585bef95e0185c869cbbe1895/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---